Trend Micro: Almost All Targeted Attacks Start with Spear Phishing

According to a new Trend Micro report [PDF file], the security firm studied a wide range of targeted attacks between February and September of this year, and found that fully 91 percent involved spear phishing.

"Spear phishing is a form of phishing that makes use of information about a target to make attacks more specific and 'personal,'" writes The Register's John Leyden. "These attacks may, for example, refer to their targets by their specific name, rank, or position at the organisation instead of using generic titles common in broader (consumer focused) phishing campaigns. The end goal is usually to trick prospective victims into opening a malicious file attachment (in 94 percent of cases) or to follow links to an exploit-laden site."

"Government agencies and activist groups are most at risk of a spear phishing attack, according to the report," writes SearchSecurity's Robert Westervelt. "The public nature of the employees in the two sectors makes it easy for an attacker to find victim email addresses and target them with a convincing email containing a malicious file attachment. Companies in the heavy equipment, aviation and aerospace and financial industries are also at an elevated risk level."

"The research also determined that executable (.EXE) files were not commonly used as spear phishing email attachments, likely due to the fact that emails with .EXE file attachments are usually detected and blocked by any security solution," SC Magazine reports. "Instead they come in the form of [.RTF], [.XLS] and .ZIP files after being compressed and archived before being sent. In some cases, compressed files were password protected to further prevent their malicious content from being detected by security solutions."

Advertisement

"Experts suggest that it is almost impossible to defend against well-crafted and determined spear-phishing," Infosecurity reports. "But what the Tend Micro research says today is that organizations should do everything possible to make socially-engineered attacks less successful. 'The abundance of information on individuals and companies makes the job of creating extremely credible emails far too simple,' warns Rik Ferguson, director of security research and communications at Trend Micro. 'It’s a part of a custom defense that should not be ignored.'"